On Monday, markets regulator Sebi proposed a framework for adopting cloud services by stock exchanges, clearing firms and other regulated entities.
The Cloud Framework was drafted to provide baseline security standards and ensure Regulated Entity (RE) compliance with laws and regulations. This will be in addition to Sebi’s existing circulars/guidance/advice.
“The main purpose of the framework is to highlight the key risks and mandatory controls that REs need to implement before adopting cloud computing. The document also specifies the regulatory and legal compliance of REs when adopting such solutions,” it said in a circular.
The framework will be effective immediately for all new or proposed cloud onboarding assignments/projects for RE.
REs currently using cloud services should ensure that all such arrangements are amended where applicable and should comply with the framework within 12 months.
Recently, the reliance on cloud computing for the delivery of IT services has been on the rise.
“While cloud computing offers multiple advantages such as ready scalability, ease of deployment, no overhead of maintaining physical infrastructure, etc., REs should also be aware of new cybersecurity risks, and challenges that cloud computing brings,” Sebi noted.
According to the regulator, the Cloud Framework is a principles-based framework covering governance, risk and compliance (GRC), selection of cloud service provider (CSP), data ownership and data localisation, due diligence of REs, security control, legal and regulatory obligations, etc.
REs include depository institutions, stockbrokers on exchanges, asset management companies (AMCs)/mutual funds, and KYC registration agencies (KRAs).